Java Code Examples for io.netty.handler.ssl.OpenSsl#isAvailable()

The following examples show how to use io.netty.handler.ssl.OpenSsl#isAvailable().
Example 1
Source File: SslUtil.java    From browserup-proxy with Apache License 2.0
/**
 * Supplies the cipher-suite names to offer. With netty-tcnative loaded the hard-coded
 * list is used directly; on the JDK path the suites enabled by the runtime SSLContext
 * are preferred and the hard-coded list is only a fallback when that query yields nothing.
 * NOTE(review): a hard-coded list does not follow JDK security-policy updates — confirm it
 * is kept current.
 *
 * @return the cipher suites to enable; never {@code null}.
 */
@Override
public List<String> get() {
    if (OpenSsl.isAvailable()) {
        // TODO: consider switching to the list of all available ciphers using OpenSsl.availableCipherSuites()
        return getBuiltInCipherList();
    }

    List<String> jdkCiphers = getEnabledJdkCipherSuites();

    // Empty means the JDK SSLContext could not be queried; the built-in list is the last resort.
    return jdkCiphers.isEmpty() ? getBuiltInCipherList() : jdkCiphers;
}
 
Example 2
Source File: BridgeServerTlsContextImpl.java    From arcusplatform with Apache License 2.0
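/**
 * Selects the Netty {@link SslProvider} named by {@code serverConfig.getTlsProvider()}.
 *
 * @param serverConfig configuration carrying the requested TLS provider constant.
 * @return {@link SslProvider#JDK} for the JDK and default settings, or
 *         {@link SslProvider#OPENSSL_REFCNT} when OpenSSL is requested and loadable.
 * @throws IllegalStateException if OpenSSL is requested but netty-tcnative could not be loaded;
 *         the cause is {@link OpenSsl#unavailabilityCause()}. Callers catching
 *         {@link RuntimeException} keep working.
 * @throws IllegalArgumentException for an unrecognised provider value.
 */
private static SslProvider createSslProvider(BridgeServerConfig serverConfig) {
   switch (serverConfig.getTlsProvider()) {
   case BridgeServerConfig.TLS_PROVIDER_OPENSSL:
      if (!OpenSsl.isAvailable()) {
         // Fail closed: an explicit OpenSSL request must not silently degrade to the JDK engine.
         throw new IllegalStateException("could not initialize openssl ssl provider",
               OpenSsl.unavailabilityCause());
      }
      logger.info("using openssl ssl provider");
      // OPENSSL_REFCNT yields reference-counted contexts; presumably the caller releases them.
      return SslProvider.OPENSSL_REFCNT;

   case BridgeServerConfig.TLS_PROVIDER_DEFAULT:
   case BridgeServerConfig.TLS_PROVIDER_JDK:
      logger.info("using jdk ssl provider");
      return SslProvider.JDK;

   default:
      throw new IllegalArgumentException("unknown ssl provider: " + serverConfig.getTlsProvider());
   }
}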
 
Example 3
Source File: SocketStartTlsTest.java    From netty4.0.27Learn with Apache License 2.0
/**
 * Builds the (server, client) engine pairs for this parameterised test: always the JDK
 * engine, plus the OpenSSL engine when netty-tcnative loaded on this machine.
 *
 * @return one {@code Object[] {serverContext, clientContext}} per combination.
 * @throws Exception if a context cannot be built from {@code CERT_FILE}/{@code KEY_FILE}.
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    List<SslContext> clients = new ArrayList<SslContext>();
    servers.add(new JdkSslServerContext(CERT_FILE, KEY_FILE));
    clients.add(new JdkSslClientContext(CERT_FILE));

    if (OpenSsl.isAvailable()) {
        servers.add(new OpenSslServerContext(CERT_FILE, KEY_FILE));
        clients.add(new OpenSslClientContext(CERT_FILE));
    } else {
        // Not a failure: the OpenSSL combinations are simply absent from this run.
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    }

    List<Object[]> combinations = new ArrayList<Object[]>(servers.size() * clients.size());
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            combinations.add(new Object[] { server, client });
        }
    }
    return combinations;
}
 
Example 4
Source File: SocketSslClientRenegotiateTest.java    From netty-4.1.22 with Apache License 2.0
/**
 * Supplies the engine pairs for the client-renegotiation test. The client side is always the
 * JDK engine; the server side is the OpenSSL engine, so the parameter list is empty (and the
 * test effectively skipped) when netty-tcnative did not load.
 *
 * @return 32 copies of each (server, client) pair, one per repetition of the scenario.
 * @throws Exception if a context cannot be built from {@code CERT_FILE}/{@code KEY_FILE}.
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    List<SslContext> clients = new ArrayList<SslContext>();
    clients.add(new JdkSslClientContext(CERT_FILE));

    if (OpenSsl.isAvailable()) {
        servers.add(new OpenSslServerContext(CERT_FILE, KEY_FILE));
    } else {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    }

    final int repetitions = 32;
    List<Object[]> combinations = new ArrayList<Object[]>();
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            for (int run = 0; run < repetitions; run++) {
                combinations.add(new Object[] { server, client });
            }
        }
    }

    return combinations;
}
 
Example 5
Source File: SocketSslGreetingTest.java    From netty-4.1.22 with Apache License 2.0
/**
 * Engine pairs for the greeting test: JDK server/client always, OpenSSL server/client added
 * when netty-tcnative loaded. Client contexts trust only {@code CERT_FILE}.
 *
 * @return one {@code Object[] {serverContext, clientContext}} per combination.
 * @throws Exception if a context cannot be built.
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());

    List<SslContext> clients = new ArrayList<SslContext>();
    clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());

    if (OpenSsl.isAvailable()) {
        SslContext openSslServer = SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
                .sslProvider(SslProvider.OPENSSL)
                .build();
        SslContext openSslClient = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .trustManager(CERT_FILE)
                .build();
        servers.add(openSslServer);
        clients.add(openSslClient);
    } else {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    }

    List<Object[]> combinations = new ArrayList<Object[]>();
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            combinations.add(new Object[] { server, client });
        }
    }
    return combinations;
}
 
Example 6
Source File: SocketStartTlsTest.java    From netty-4.1.22 with Apache License 2.0
/**
 * Engine pairs for the StartTLS test: JDK server/client always, OpenSSL server/client added
 * when netty-tcnative loaded. Client contexts trust only {@code CERT_FILE}.
 *
 * @return one {@code Object[] {serverContext, clientContext}} per combination.
 * @throws Exception if a context cannot be built.
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    boolean openSslPresent;
    List<SslContext> servers = new ArrayList<SslContext>();
    servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());

    List<SslContext> clients = new ArrayList<SslContext>();
    clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());

    openSslPresent = OpenSsl.isAvailable();
    if (!openSslPresent) {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    } else {
        servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
                .sslProvider(SslProvider.OPENSSL)
                .build());
        clients.add(SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .trustManager(CERT_FILE)
                .build());
    }

    List<Object[]> combinations = new ArrayList<Object[]>();
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            combinations.add(new Object[] { server, client });
        }
    }
    return combinations;
}
 
Example 7
Source File: TransportSupport.java    From qpid-jms with Apache License 2.0
/**
 * Determines if Netty OpenSSL support is available and applicable based on the configuration
 * in the given TransportOptions instance.
 * <p>
 * OpenSSL is used only when every precondition holds: it was requested, netty-tcnative loaded,
 * no user-supplied SSLContext overrides it, a KeyManagerFactory is supported, hostname
 * validation is supported whenever {@code verifyHost} is on (so choosing OpenSSL can never
 * silently drop host verification), and no key alias is configured. Each rejection is logged
 * at DEBUG with its reason.
 *
 * @param options
 * 		  The configuration of the Transport being created.
 *
 * @return true if OpenSSL support is available and usable given the requested configuration.
 */
public static boolean isOpenSSLPossible(TransportOptions options) {
    if (!options.isUseOpenSSL()) {
        return false;
    }
    if (!OpenSsl.isAvailable()) {
        LOG.debug("OpenSSL could not be enabled because a suitable implementation could not be found.", OpenSsl.unavailabilityCause());
        return false;
    }
    if (options.getSslContextOverride() != null) {
        LOG.debug("OpenSSL could not be enabled due to user SSLContext being supplied.");
        return false;
    }
    if (!OpenSsl.supportsKeyManagerFactory()) {
        LOG.debug("OpenSSL could not be enabled because the version provided does not allow a KeyManagerFactory to be used.");
        return false;
    }
    if (options.isVerifyHost() && !OpenSsl.supportsHostnameValidation()) {
        // Keep deprecated check for now, older netty-tcnative versions required it and we don't control the version used.
        LOG.debug("OpenSSL could not be enabled due to verifyHost being enabled but not supported by the provided OpenSSL version.");
        return false;
    }
    if (options.getKeyAlias() != null) {
        LOG.debug("OpenSSL could not be enabled because a keyAlias is set and that feature is not supported for OpenSSL.");
        return false;
    }
    LOG.debug("OpenSSL Enabled: Version {} of OpenSSL will be used", OpenSsl.versionString());
    return true;
}
 
Example 8
Source File: SslUtil.java    From CapturePacket with MIT License
/**
 * Returns the cipher suites to enable: the hard-coded list when OpenSSL (netty-tcnative) is
 * loaded, otherwise the suites the JDK SSLContext reports as enabled, falling back to the
 * hard-coded list only if that query returns nothing.
 *
 * @return the cipher suite names; never {@code null}.
 */
@Override
public List<String> get() {
    if (OpenSsl.isAvailable()) {
        // TODO: consider switching to the list of all available ciphers using OpenSsl.availableCipherSuites()
        return getBuiltInCipherList();
    }

    List<String> enabledByJdk = getEnabledJdkCipherSuites();
    if (!enabledByJdk.isEmpty()) {
        return enabledByJdk;
    }

    // The JDK SSLContext could not be queried, so use the hard-coded list.
    return getBuiltInCipherList();
}
 
Example 9
Source File: GrpcSslContexts.java    From grpc-java with Apache License 2.0
/**
 * Returns OpenSSL if available, otherwise returns the JDK provider.
 * <p>
 * Selection order: netty-tcnative (OpenSSL) first, then a JDK provider found by
 * {@code findJdkProvider()}. With neither, every candidate's unavailability cause is logged at
 * INFO before failing, so an operator can tell which dependency is missing.
 *
 * @return the provider to build {@code SslContext}s with.
 * @throws IllegalStateException if no ALPN-capable TLS provider is present.
 */
private static SslProvider defaultSslProvider() {
  if (OpenSsl.isAvailable()) {
    logger.log(Level.FINE, "Selecting OPENSSL");
    return SslProvider.OPENSSL;
  }

  Provider jdkProvider = findJdkProvider();
  if (jdkProvider == null) {
    logger.log(Level.INFO, "Java 9 ALPN API unavailable (this may be normal)");
    logger.log(Level.INFO, "netty-tcnative unavailable (this may be normal)",
        OpenSsl.unavailabilityCause());
    logger.log(Level.INFO, "Conscrypt not found (this may be normal)",
        ConscryptHolder.UNAVAILABILITY_CAUSE);
    logger.log(Level.INFO, "Jetty ALPN unavailable (this may be normal)",
        JettyTlsUtil.getJettyAlpnUnavailabilityCause());
    throw new IllegalStateException(
        "Could not find TLS ALPN provider; "
        + "no working netty-tcnative, Conscrypt, or Jetty NPN/ALPN available");
  }

  logger.log(Level.FINE, "Selecting JDK with provider {0}", jdkProvider);
  return SslProvider.JDK;
}
 
Example 10
Source File: Flags.java    From armeria with Apache License 2.0
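/**
 * Resolves the {@code useOpenSsl} flag: OpenSSL is used only when it is not explicitly disabled
 * and netty-tcnative actually loaded. When it is used, {@code dumpOpenSslInfo} may additionally
 * log the supported/enabled protocols and cipher suites.
 * <p>
 * Writes {@code Flags.useOpenSsl} and {@code dumpOpenSslInfo}; both are {@code false} whenever
 * OpenSSL is not used.
 */
private static void setUseOpenSslAndDumpOpenSslInfo() {
    final boolean openSslRequested = getBoolean("useOpenSsl", true);
    if (!openSslRequested) {
        // OpenSSL explicitly disabled
        Flags.useOpenSsl = false;
        dumpOpenSslInfo = false;
        return;
    }
    if (!OpenSsl.isAvailable()) {
        // Expected on hosts without the native library: log the unwrapped cause, not a stack trace.
        final Throwable cause = Exceptions.peel(OpenSsl.unavailabilityCause());
        logger.info("OpenSSL not available: {}", cause.toString());
        Flags.useOpenSsl = false;
        dumpOpenSslInfo = false;
        return;
    }
    Flags.useOpenSsl = true;
    // Mask to 32 bits so the number prints as unsigned hex (presumably OPENSSL_VERSION_NUMBER).
    logger.info("Using OpenSSL: {}, 0x{}", OpenSsl.versionString(),
                Long.toHexString(OpenSsl.version() & 0xFFFFFFFFL));
    dumpOpenSslInfo = getBoolean("dumpOpenSslInfo", false);
    if (dumpOpenSslInfo) {
        final SSLEngine engine = SslContextUtil.createSslContext(
                SslContextBuilder::forClient,
                false,
                ImmutableList.of()).newEngine(ByteBufAllocator.DEFAULT);
        try {
            logger.info("All available SSL protocols: {}",
                        ImmutableList.copyOf(engine.getSupportedProtocols()));
            logger.info("Default enabled SSL protocols: {}", SslContextUtil.DEFAULT_PROTOCOLS);
        } finally {
            // The engine is reference counted; release it even if logging throws.
            ReferenceCountUtil.release(engine);
        }
        logger.info("All available SSL ciphers: {}", OpenSsl.availableJavaCipherSuites());
        logger.info("Default enabled SSL ciphers: {}", SslContextUtil.DEFAULT_CIPHERS);
    }
}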
 
Example 11
Source File: ProberModule.java    From nomulus with Apache License 2.0
/**
 * {@link Provides} the {@link SslProvider} used by instances of {@link SslClientInitializer}:
 * OpenSSL (netty-tcnative) when it loaded, otherwise the JDK engine. Evaluated once per
 * injector because the binding is a {@link Singleton}.
 */
@Provides
@Singleton
static SslProvider provideSslProvider() {
  if (OpenSsl.isAvailable()) {
    // Prefer OpenSSL.
    return SslProvider.OPENSSL;
  }
  return SslProvider.JDK;
}
 
Example 12
Source File: GatewayNetty.java    From arcusplatform with Apache License 2.0
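/**
 * Picks the SSL provider for gateway connections from the {@code iris.gateway.ssl.provider}
 * setting: unset or {@code "openssl"} prefers OpenSSL with a JDK fallback, {@code "jdk"} forces
 * the JDK engine, and any other value falls back to the JDK with a warning.
 * <p>
 * Side effect: registers the BouncyCastle JCA provider on every call.
 *
 * @return the provider to use; never {@code null}.
 */
public static SslProvider createSslProvider() {
   Supplier<String> sslProviderSetting = ConfigService.supplier("iris.gateway.ssl.provider", String.class, "");

   Security.addProvider(new BouncyCastleProvider());

   // Read the setting once so the value switched on and the value reported agree even if the
   // config supplier changes between calls.
   final String requested = sslProviderSetting.get();

   switch (requested) {
   case "":
   case "openssl":
      if (OpenSsl.isAvailable()) {
         log.debug("using openssl for gateway ssl provider");
         return openssl();
      }
      if (!"".equals(requested)) {
         // Explicitly requested: degrade to the JDK, but say so and attach the load failure.
         log.warn("openssl ssl provider requested but not available, using jdk ssl for gateway connection:", OpenSsl.unavailabilityCause());
      } else {
         log.debug("using jdk for gateway ssl provider: ", OpenSsl.unavailabilityCause());
      }
      return jdk();

   case "jdk":
      log.debug("using jdk for gateway ssl provider");
      return jdk();

   default:
      log.warn("unknown ssl provider, using jdk by default");
      return jdk();
   }
}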
 
Example 13
Source File: NetworkUtils.java    From blazingcache with Apache License 2.0
/**
 * Reports whether native OpenSSL (netty-tcnative) will be used, computing and caching the
 * answer on first call. OpenSSL is used only when {@code ENABLE_OPENSSL} is set and the native
 * library loaded; {@link OpenSsl#ensureAvailability()} is then invoked as a final guard.
 * <p>
 * The cache is not synchronized; concurrent first callers may each evaluate it, which is
 * harmless because every evaluation yields the same value.
 *
 * @return {@code true} when native OpenSSL is enabled and available.
 */
public static boolean isOpenSslAvailable() {
    if (openSslAvailable != null) {
        return openSslAvailable;
    }
    boolean usable = ENABLE_OPENSSL && OpenSsl.isAvailable();
    if (usable) {
        OpenSsl.ensureAvailability();
    } else {
        // NOTE(review): when ENABLE_OPENSSL is false the cause is still reported even though
        // the library may be loadable, and it may print as "null".
        Throwable cause = OpenSsl.unavailabilityCause();
        LOG.log(Level.INFO, "Native OpenSSL support is not available on this platform: " + cause);
    }
    openSslAvailable = usable;
    return usable;
}
 
Example 14
Source File: SslClientInitializerTest.java    From nomulus with Apache License 2.0
/**
 * Providers to run the client-initializer tests against: the JDK engine always, plus OpenSSL
 * when netty-tcnative is loadable on this machine.
 *
 * @return the providers, JDK first.
 */
@Parameters(name = "{0}")
public static SslProvider[] data() {
  if (OpenSsl.isAvailable()) {
    return new SslProvider[] {SslProvider.JDK, SslProvider.OPENSSL};
  }
  return new SslProvider[] {SslProvider.JDK};
}
 
Example 15
Source File: SSLTestBase.java    From activemq-artemis with Apache License 2.0
/**
 * Tells whether the test can run with the configured providers: OpenSSL must be loadable only
 * if either side ({@code sslProvider} or {@code clientSslProvider}) asks for it.
 *
 * @return {@code true} unless OpenSSL is requested but unavailable.
 */
protected boolean isOpenSSLSupported() {
   boolean openSslRequested = sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)
         || clientSslProvider.equals(TransportConstants.OPENSSL_PROVIDER);
   return !openSslRequested || OpenSsl.isAvailable();
}
 
Example 16
Source File: ZipkinStackdriverStorageModule.java    From zipkin-gcp with Apache License 2.0
/**
 * Creates the Stackdriver {@link StorageComponent} unless another bean already provides one.
 * An ALPN-capable TLS stack (OpenSSL via netty-tcnative, or Jetty ALPN) is required up front so
 * a misconfigured deployment fails at startup rather than on the first export.
 *
 * @param strictTraceId whether trace IDs are matched strictly (property
 *     {@code zipkin.storage.strict-trace-id}, default {@code true}).
 * @param projectId the GCP project written to.
 * @param clientFactory the Armeria client factory used for the Stackdriver connection.
 * @param properties module properties, including the HTTP logging mode and API host.
 * @param credentials Google credentials attached to every request by a decorator.
 * @return the configured storage component.
 * @throws IllegalStateException if neither OpenSSL nor Jetty ALPN is available.
 */
@Bean
@ConditionalOnMissingBean
StorageComponent storage(
    @Value("${zipkin.storage.strict-trace-id:true}") boolean strictTraceId,
    @Qualifier("projectId") String projectId,
    ClientFactory clientFactory,
    ZipkinStackdriverStorageProperties properties,
    Credentials credentials) {
  boolean alpnCapable = OpenSsl.isAvailable() || jettyAlpnAvailable();
  if (!alpnCapable) {
    throw new IllegalStateException(
        "OpenSsl or ALPN is required. This usually requires either JDK9+, jetty-alpn, or "
            + "netty-tcnative-boringssl-static");
  }

  ClientOptionsBuilder clientOptions = ClientOptions.builder();

  HttpLogging logging = properties.getHttpLogging();
  if (logging != HttpLogging.NONE) {
    LoggingClientBuilder requestLogging = LoggingClient.builder()
        .requestLogLevel(LogLevel.INFO)
        .successfulResponseLogLevel(LogLevel.INFO);
    // Bodies are never logged; BASIC additionally blanks the headers. In HEADERS mode request
    // headers reach the log unsanitized — NOTE(review): confirm the credential header added by
    // CredentialsDecoratingClient is not among them, given the decorator ordering below.
    switch (logging) {
      case HEADERS:
        requestLogging.contentSanitizer(unused -> "");
        break;
      case BASIC:
        requestLogging.contentSanitizer(unused -> "");
        requestLogging.headersSanitizer(unused -> HttpHeaders.of());
        break;
      default:
        break;
    }
    clientOptions.decorator(requestLogging.newDecorator());
  }

  return StackdriverStorage.newBuilder(properties.getApiHost())
      .projectId(projectId)
      .strictTraceId(strictTraceId)
      .clientFactory(clientFactory)
      .clientOptions(clientOptions
          .decorator(CredentialsDecoratingClient.newDecorator(credentials))
          .build())
      .build();
}
 
Example 17
Source File: ConnectionFactoryImpl.java    From hono with Eclipse Public License 2.0
/**
 * Applies the configured TLS trust settings to {@code clientOptions}: turns SSL on when the
 * config requires it or supplies trust options, selects OpenSSL over the JDK engine when
 * netty-tcnative loaded and supports a KeyManagerFactory, sets the hostname-verification
 * algorithm, and replaces the enabled protocol set with the configured one.
 *
 * @param clientOptions the Proton client options, mutated in place.
 */
private void addTlsTrustOptions(final ProtonClientOptions clientOptions) {

    if (config.isTlsEnabled()) {
        clientOptions.setSsl(true);
    }

    // Only fill in trust options the caller did not already set.
    if (clientOptions.getTrustOptions() == null) {
        final TrustOptions configuredTrust = config.getTrustOptions();
        if (configuredTrust != null) {
            clientOptions.setSsl(true).setTrustOptions(configuredTrust);
        }
    }

    if (!clientOptions.isSsl()) {
        return;
    }

    final boolean openSslLoaded = OpenSsl.isAvailable();
    final boolean openSslHasKeyManagerFactory = OpenSsl.supportsKeyManagerFactory();

    logger.debug("OpenSSL [available: {}, supports KeyManagerFactory: {}]",
            openSslLoaded, openSslHasKeyManagerFactory);

    if (openSslLoaded && openSslHasKeyManagerFactory) {
        logger.debug("using OpenSSL [version: {}] instead of JDK's default SSL engine",
                OpenSsl.versionString());
        clientOptions.setSslEngineOptions(new OpenSSLEngineOptions());
    } else {
        logger.debug("using JDK's default SSL engine");
    }

    // An empty algorithm name leaves hostname verification off: the peer certificate is then
    // checked for trust only, not for identity. Only the config can opt into that.
    clientOptions.setHostnameVerificationAlgorithm(
            config.isHostnameVerificationRequired() ? "HTTPS" : "");

    // Replace the engine defaults with exactly the configured protocol versions.
    clientOptions.getEnabledSecureTransportProtocols()
        .forEach(protocol -> clientOptions.removeEnabledSecureTransportProtocol(protocol));
    config.getSecureProtocols().forEach(protocol -> {
        logger.debug("enabling secure protocol [{}]", protocol);
        clientOptions.addEnabledSecureTransportProtocol(protocol);
    });
}
 
Example 18
Source File: OcspServerExample.java    From netty-4.1.22 with Apache License 2.0
/**
 * Walks through an OCSP check for the bundled netty.io certificate chain and then shows how an
 * OpenSSL-backed server context with OCSP stapling would be built.
 * <p>
 * Example only: there is no private key (so the run deliberately stops before the server is
 * built), the responder's signature over the response is not verified here, and the response
 * is not cached. A real server must verify the response signature and honour
 * {@code getNextUpdate()} before stapling a response.
 *
 * @param args unused.
 * @throws Exception on any parsing, network or TLS setup failure.
 */
public static void main(String[] args) throws Exception {
    // We assume there's a private key.
    PrivateKey privateKey = null;

    // Step 1: Load the certificate chain for netty.io. Only the leaf and its issuer are needed;
    // the PEM is assumed to be ordered leaf first, issuer last, to keep things simple.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
    X509Certificate leaf = keyCertChain[0];
    X509Certificate issuerCert = keyCertChain[keyCertChain.length - 1];

    // Step 2: The responder URL is encoded in the certificate itself (typically the AIA
    // extension). It is a plain HTTP URL; that is acceptable because the response is signed.
    URI responderUri = OcspUtils.ocspUri(leaf);
    System.out.println("OCSP Responder URI: " + responderUri);
    if (responderUri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }

    // Step 3: Construct the OCSP request
    OCSPReq ocspRequest = new OcspRequestBuilder()
            .certificate(leaf)
            .issuer(issuerCert)
            .build();

    // Step 4: Ask the CA's responder, with a bounded wait.
    OCSPResp ocspResponse = OcspUtils.request(responderUri, ocspRequest, 5L, TimeUnit.SECONDS);
    if (ocspResponse.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + ocspResponse.getStatus());
    }

    // Step 5: Good, or revoked? BouncyCastle encodes GOOD as null, so any non-null status
    // (revoked or unknown) is treated as a failure below.
    BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
    SingleResp single = basicResponse.getResponses()[0];
    CertificateStatus certStatus = single.getCertStatus();
    System.out.println("Status: " + (certStatus == CertificateStatus.GOOD ? "Good" : certStatus));
    System.out.println("This Update: " + single.getThisUpdate());
    System.out.println("Next Update: " + single.getNextUpdate());
    if (certStatus != null) {
        throw new IllegalStateException("certificate-status=" + certStatus);
    }

    // Make sure the answer is about our certificate and not some other serial.
    BigInteger leafSerial = leaf.getSerialNumber();
    BigInteger answeredSerial = single.getCertID().getSerialNumber();
    if (!leafSerial.equals(answeredSerial)) {
        throw new IllegalStateException("Bad Serials=" + leafSerial + " vs. " + answeredSerial);
    }

    // Step 6: Cache the OCSP response and use it as long as it's not
    // expired. The exact semantics are beyond the scope of this example.

    // Stapling needs the OpenSSL provider with OCSP support compiled in.
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }
    if (privateKey == null) {
        throw new IllegalStateException("Because we don't have a PrivateKey we can't continue past this point.");
    }

    ReferenceCountedOpenSslContext context
        = (ReferenceCountedOpenSslContext) SslContextBuilder.forServer(privateKey, keyCertChain)
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();
    try {
        ServerBootstrap bootstrap = new ServerBootstrap()
                .childHandler(newServerHandler(context, ocspResponse));

        // so on and so forth...
    } finally {
        // Reference-counted native context: always release it.
        context.release();
    }
}
 
Example 19
Source File: ProxyModule.java    From nomulus with Apache License 2.0
/**
 * Provides the {@link SslProvider} for the proxy: OpenSSL (netty-tcnative) when it loaded,
 * otherwise the JDK engine.
 *
 * @return the provider to use; never {@code null}.
 */
@Provides
static SslProvider provideSslProvider() {
  if (OpenSsl.isAvailable()) {
    // Prefer OpenSSL.
    return SslProvider.OPENSSL;
  }
  return SslProvider.JDK;
}
 
Example 20
Source File: SocketSslEchoTest.java    From netty4.0.27Learn with Apache License 2.0
/**
 * Parameter matrix for the SSL echo test: every (server, client) engine pair, each
 * renegotiation mode the pair supports, and all 32 combinations of the five boolean knobs
 * named in the {@code @Parameters} template, decoded from the bits of the loop counter.
 *
 * @return one {@code Object[]} per test invocation, in the order described above.
 * @throws Exception if a context cannot be built from {@code CERT_FILE}/{@code KEY_FILE}.
 */
@Parameters(name =
        "{index}: serverEngine = {0}, clientEngine = {1}, renegotiation = {2}, " +
        "serverUsesDelegatedTaskExecutor = {3}, clientUsesDelegatedTaskExecutor = {4}, " +
        "autoRead = {5}, useChunkedWriteHandler = {6}, useCompositeByteBuf = {7}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    servers.add(new JdkSslServerContext(CERT_FILE, KEY_FILE));

    List<SslContext> clients = new ArrayList<SslContext>();
    clients.add(new JdkSslClientContext(CERT_FILE));

    if (OpenSsl.isAvailable()) {
        servers.add(new OpenSslServerContext(CERT_FILE, KEY_FILE));
        clients.add(new OpenSslClientContext(CERT_FILE));
    } else {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    }

    final int knobCombinations = 32; // 2^5 boolean flags
    List<Object[]> matrix = new ArrayList<Object[]>();
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            boolean anyOpenSsl = server instanceof OpenSslContext || client instanceof OpenSslContext;
            for (RenegotiationType type : RenegotiationType.values()) {
                // TODO: OpenSslEngine does not support renegotiation yet.
                if (type != RenegotiationType.NONE && anyOpenSsl) {
                    continue;
                }

                // RC4 is a broken cipher; it only drives the renegotiation path of this old
                // test matrix and must not be copied into production configuration.
                Renegotiation renegotiation = type == RenegotiationType.NONE
                        ? Renegotiation.NONE
                        : new Renegotiation(type, "SSL_RSA_WITH_RC4_128_SHA");

                for (int bits = 0; bits < knobCombinations; bits++) {
                    matrix.add(new Object[] {
                            server, client, renegotiation,
                            (bits & 16) != 0, // serverUsesDelegatedTaskExecutor
                            (bits & 8) != 0,  // clientUsesDelegatedTaskExecutor
                            (bits & 4) != 0,  // autoRead
                            (bits & 2) != 0,  // useChunkedWriteHandler
                            (bits & 1) != 0 }); // useCompositeByteBuf
                }
            }
        }
    }

    return matrix;
}